Standard best practice in computer security is to keep all your devices up to date, so that malicious evil-doers cannot exploit known vulnerabilities and weaknesses to their advantage. The problem is the word “known”. Not all vulnerabilities and weaknesses are immediately reported and published. On one hand, there is a generally accepted grace period for those who practise “responsible disclosure” (also called coordinated disclosure): software owners usually have about three months to fix a reported vulnerability before it is made public. Alongside publication, the remediation is documented and distributed through the standard update mechanisms, so an up-to-date device is protected at roughly the moment the details become public. On the other hand, some people, organisations or companies prefer a different approach. Instead of “responsible disclosure”, they collect weaknesses and vulnerabilities to enable evil deeds, selling them to the highest bidder (often on the black market) or using them for offensive actions like espionage or other cyber-attacks. Against such unpublished and therefore unpatched (“zero-day”) vulnerabilities, being up to date does not help.
So let’s look at another standard best practice in computer security: reduction of the attack surface. The fewer software packages installed on a device, the better they are programmed, and the less “mainstream” they are on the market, the smaller the attack surface. Software which is not installed or not running on a device cannot be exploited at all. High-quality software, written with best-practice security principles in mind (privilege separation, sandboxing, careful input parsing), is harder to exploit. And software that is not “mainstream” is less likely to be a primary target, as attackers invest their effort where the number of potential victims makes abuse profitable.
Operating systems aside, for standard Windows PCs but also for Mac and Linux computers, some of the applications with the most vulnerabilities reported in 2017 are Microsoft Edge, Apple Safari, Adobe Acrobat and Acrobat Reader, and Oracle Java JDK and JRE. There are others, but those listed dominate the IT market and are installed on many different devices, most likely including yours. But do you really need them? Or are there similar, less common products that have less chance of being targeted?
For sure there are. And this is the main reason why CERN has chosen “PDF-Xchange” for Windows PCs and “PDF Expert” for Mac systems as its new default readers for PDFs. Together with other security measures (namely CERN’s sophisticated SPAM filtering engine), this new default reader reduces the risk of computer infections via malicious PDF documents crafted to exploit the vulnerabilities of the market leader: an exploit written against Acrobat Reader’s parser simply does not work in a different reader. We do not claim that this software has fewer vulnerabilities; the chances of them being exploited are just much lower, as most malicious evil-doers concentrate on mainstream products, the list above, and abuse them for their deeds. Note that this is a reduction in exposure, not in vulnerability: the alternative reader still has to be kept up to date, and a targeted attacker who knows which reader CERN deploys can still aim at it.
Do you want to do more? Review the software installed on your devices, in particular if it is among the applications listed above. Remove applications which you do not need or rarely use, in order to reduce your personal attack surface. Think also about replacements: there are many good, and sometimes free, alternatives to your favourite browser or PDF reader which are less exposed simply because they are less common. And of course, for the rest: make sure that they are all up to date. “Secunia” provides a good tool to check for missing updates (if you are willing to install yet another application to rule them all).
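As an added example, not part of the CERN bulletin, here is the review step above done in PowerShell on a Windows PC: it reads the installed-software inventory from the standard Uninstall registry keys, flags entries matching the products named above, and shows which program currently handles .pdf files. The registry paths are the usual ones on Windows 8/10; the `$Targets` patterns are an assumption derived from the article’s list, so extend them for your own environment.

```powershell
# Added example (not from the CERN bulletin): inventory installed software on a
# Windows PC and flag the products the article names as frequent targets.
# The $Targets patterns are an assumption derived from the article's list.
# Microsoft Edge ships with Windows and does not appear under Uninstall keys;
# Apple Safari for Windows is no longer distributed, so neither is listed here.
$Targets = @('Adobe Acrobat', 'Adobe Reader', 'Java')   # Oracle Java JDK/JRE

# Per-machine (64-bit and 32-bit views) and per-user uninstall keys; readable
# without administrator rights.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName -Unique

# Flag anything whose display name contains one of the target patterns.
# $name is captured first because the inner Where-Object rebinds $_.
$Flagged = $Installed | Where-Object {
    $name = $_.DisplayName
    @($Targets | Where-Object { $name -like "*$_*" }).Count -gt 0
}

"Installed packages: $($Installed.Count)"
"Flagged as high-profile attack targets (review: do you really need them?):"
$Flagged | Format-Table -AutoSize

# Which application opens .pdf for this user? (per-user association on Windows 8/10)
$PdfAssoc = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice' -ErrorAction SilentlyContinue
"Current .pdf handler ProgId: $($PdfAssoc.ProgId)"
```

Run it as the normal user of the machine; the flagged list is a starting point for the “do I need this?” question, not a verdict, and a matching name (for example anything containing “Java”) still deserves a look at the version column to confirm it is current.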
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, visit our website or contact us at Computer.Security@cern.ch.